F5 Discovers “CryptoSink” Monero-Mining Campaign

By ISBuzz Team, Writer, Information Security Buzz | Mar 14, 2019 05:30 am PST

Researchers at F5 Labs, the threat intelligence arm of F5 Networks, have uncovered a new malware campaign, dubbed “CryptoSink”, that is used to deploy an XMR (Monero) mining operation targeting Elasticsearch systems.

Key features include: 

  • The campaign exploits a five-year-old remote code execution vulnerability (CVE-2014-3120) in Elasticsearch systems running on Windows and Linux.
  • On Linux, it delivers several previously unknown malware samples that were not detected by antivirus solutions.
  • It uses previously unseen methods to kill competing cryptominers on the infected machine and to persist on the server (by replacing the Linux rm command with its own version).
  • It backdoors the server by adding the attacker’s SSH keys, giving the attacker a login that no longer depends on the original exploit.
  • It uses several command and control (C&C) servers; the C&C that is currently live is located in China.
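Two of the behaviours listed above, a replaced rm command and an injected SSH key, leave artefacts that an administrator can check for on a suspect host. The script below is an added example written for this article; it is not F5 Labs' code and not part of the CryptoSink samples. It assumes the legitimate rm is an ELF binary (true for coreutils and busybox on Linux), and it uses a hypothetical allowlist file of expected public-key blobs (the /etc/ssh/expected_keys path in the usage line is an assumption, as is the location of authorized_keys). The sample files it builds for demonstration are constructed and contain placeholder key material, not real keys.

```shell
#!/bin/sh
# Added example (not F5 Labs' code): integrity checks for a replaced rm
# binary and for SSH authorized_keys entries that the operator never added.

# Print the first four bytes of a file as hex. The ELF magic is 7f454c46;
# a shell script dropped in a binary's place starts with "#!" (2321...).
file_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Return 0 if the path is an ELF binary, 1 otherwise.
is_elf() {
    [ "$(file_magic "$1")" = "7f454c46" ]
}

# Check the rm a shell would actually run. Return 0 if it is an ELF binary,
# 1 if it is something else (a script wrapper is the indicator here),
# 2 if no rm is on PATH at all.
check_rm() {
    rm_path=$(command -v rm) || return 2
    is_elf "$rm_path"
}

# $1: authorized_keys file to audit; $2: allowlist of expected base64 key
# blobs (the AAAA... field), one per line. Prints every authorized_keys line
# whose blob is not in the allowlist. Return 0 if nothing unexpected was
# found, 1 otherwise. Lines may carry a leading options field such as
# command="...", so the blob is located by its AAAA prefix, not by position.
unexpected_keys() {
    out=$(awk -v allowfile="$2" '
        BEGIN { while ((getline l < allowfile) > 0) if (l != "") allowed[l] = 1 }
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^AAAA/) { if (!($i in allowed)) print $0; break }
        }' "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Run both checks against the live host and print a one-line verdict each.
# $1: authorized_keys path, $2: allowlist path.
audit_host() {
    if check_rm; then
        echo "rm: OK, $(command -v rm) is an ELF binary"
    else
        echo "rm: WARNING, $(command -v rm) is not an ELF binary"
    fi
    if unexpected_keys "$1" "$2"; then
        echo "authorized_keys: OK, every key is in the allowlist"
    else
        echo "authorized_keys: WARNING, the keys above are not in the allowlist"
    fi
}

# Build constructed sample files in a temp directory and print its path:
# a script where rm should be, an authorized_keys with one expected key and
# one injected key (both blobs are placeholders, not real key material), and
# the matching allowlist.
make_samples() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n# constructed stand-in for a replaced rm wrapper\n' > "$d/rm"
    chmod 755 "$d/rm"
    cat > "$d/authorized_keys" <<'EOF'
# admin workstation
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXPECTEDKEYPLACEHOLDER admin@corp
no-pty,command="/bin/sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABUNKNOWNKEYPLACEHOLDER attacker
EOF
    printf 'AAAAC3NzaC1lZDI1NTE5AAAAIEXPECTEDKEYPLACEHOLDER\n' > "$d/allowlist"
    printf '%s\n' "$d"
}

# Usage: sh cryptosink_checks.sh audit [authorized_keys] [allowlist]
# (/etc/ssh/expected_keys is a hypothetical allowlist location.)
case "${1:-}" in
    audit) audit_host "${2:-$HOME/.ssh/authorized_keys}" "${3:-/etc/ssh/expected_keys}" ;;
esac
```

The rm check deliberately inspects the file that `command -v rm` resolves to rather than a fixed /bin/rm, because a wrapper can be placed earlier on PATH instead of overwriting the original; comparing the ELF magic rather than a size or hash keeps it portable across distributions, at the cost of not detecting a replaced binary that is itself an ELF executable. The key audit compares only the base64 blob, so an attacker cannot hide a key from it by changing the comment or adding options in front of it.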

The growth of cryptomining botnets, combined with the decline in cryptocurrency prices, makes the competition between miners for the same compromised hosts tougher, which is why the campaign goes to the trouble of killing rival miners. For full details on the attack, see: https://www.f5.com/labs/articles/threat-intelligence/-cryptosink–campaign-deploys-a-new-miner-malware